Okay, here’s a shit story. I was doing a routine scan with ClamAV feb 4th. Out of nowhere it popped for a trojan. Thought it was a bit weird, probably a false positive. Nope. I discovered a weird .DLL in WINE, not in their repos, not something I installed. listed as .BRM for windows 6. I hashed it and ran it against everything I’d pulled from my .DLL files. No match. I went digging and found the schroot under /run/ I took a look at the properties and the env showed 128.7TB of storage. The program I use with WINE requires network access to authenticate and because it was for audio production, it had access to my filesystem for samples.
Broke out wireshark and confirmed they were exfiltrating data. I always have the camera covered and the Mic disabled, but only through a blacklist. As soon as they saw me, they wiped everything from my home folder, everything that wasn’t a base part of kde was gone. They got my passport, resumes, had just downloaded all my data from google and deleted my accounts. Wedding photos, contact lists, phone numbers, Everything. Immediately unplugged the router, disconnected the modem.
Found the roommate, he uses windows 10. No security updates, no antivirus. Rooted into his machine as well. 7 foreign IPs routing traffic over privoxy, shut down all the ports, airplane mode, took his important data and burned a windows 10 iso. He’s okay now. I’m currently running photorec, foremost and autopsy on an image of my drive trying to get what I can. Reopened a bank account, changed the phone number now I’m paranoid. Network password was stupid easy (not my connection, I don’t own it) and he had it set up so everyone with the password was admin. Every machine in the house is potentially compromised. He had a whole host of web 3.0 bullshit, chinese wifi camera,(probably watching through that) old google home assistant, ps4, xbox, light controls.
We ditched the router, the people I share this place with have no idea what a computer even is and I am trying to explain to them why this is a problem. My synthesiser’s OS is based on montevista linux, I connect it to the laptop all the time. There’s a server farm out there trying to get into insecure connections. I was rooted with 32x linux using a fake .DLL in WINE, he was rooted into by a Windows 10 machine. Of course he uses an admin account for everything. I pulled a shit tonne of persistence off my computer. Cron jobs, Startup scripts for privoxy and schroot, services, grub configuration, SSH keys, User Logins, Key loggers. This is sophisticated enough that they could tailor something on a per machine basis and I never would have found it if I hadn’t been actively looking because since they schroot, none of those processes were available to me to view. I just had a funny feeling the last time I used WINE because the configuration kept updating and it normally only does that if you add a library, or make a change to the program and I hadn’t done that in a month.
I need some help, fellas because I went to the cops and the cybercrime unit stops at “He posted my nudes on Facebook.” This was not intended for me, this is meant to spread across as many machines as possible. ISP in our area recently put in fibre in a bunch of different houses and I’m worried they may be piggy backing our connection off our neighbours. How many people out there are using older versions of android with no security updates? What if they get someone who works in power generation, law enforcement, a nurse on the way to the hospital. It is so bad and I cannot get any one to listen to me. They think I’m a lunatic. Last thing, can you give me some advice on containerising applications in docker, command line docker. I’m not giving a company my personal information to use their stupid GUI and I want to cut this off at the head. No more free access to the file system, every application and all the files I use with them on their own container. How do I build something from source in a leak proof Docker environment? how do I install a web browser with no access to geoclue, date and time or files? Resources, if you can, would be incredibly helpful. I am only doing linux for 2 years as a hobby, this is out of my wheelhouse. Just a blank container with one program, so I can inspect files coming in and out of and decide if something gets access to my home directory or not. stay frosty out there.
Edit: finally figured out how to add pictures to this. You’ll notice the tree from home folder that it’s basically fucking empty. You’ll also see ventoy which I had to have to get my housemate’s stupid ASUS laptop to let me burn Microsoft’s spyware onto it. You’ll also see photorec which is currently digging through all the data left on the disk.img, you’ll also see the output of my first attempt using foremost, which failed because the disk was mounted and live. Here is the audit.txt https://files.catbox.moe/picf4y.txt If you scroll down just a little bit, you will see the poisoned .DLL and the .exe that was hidden in it. Listed as created year 2000 and 1998. I don’t use social media, like at ALL because it’s all poison. Don’t you call me a fucking liar. You have ABSOLUTELY no idea what I have been through in the last 3 days. I have talked to local police, state police, had to img my entire drive and send it to them. I have lost copies of all my personal identification documents, immigration documents, I have had law enforcement visit me repeatedly. THIS IS NOT a fucking joke.
Edit: Christ the way this website handles image hosting, I can’t. 3 days of chainsmoking, talking to cops, reinstalling OSes and explaining to a 45 year old man that your router password cannot be 1love[name of his cat that he posts about on instagram]
Here all the images in one place. Sorry, incredibly stressful period right now, I use GNUicecat and since all of my user settings are gone I don’t know what’s working and what isn’t because I haven’t had 3 hours to sit down and configure it yet:
I need a fucking smoke
Something about this post is weird as fuck and some part of this story is missing for sure.
First of all, routine scans with ClamAV. Why are you routinely scanning your system, and what’s your expectation here? In most cases system compromise happens by executing something malicious or by exploiting something on your system, For the former, an active background scanner would help, but not a routine scan, and it’s easier to just not execute suspicious stuff. For the latter, your routine scanning is worthless.
Then the compromise over a WINE DLL seems something between borderline impossible on one hand, and like a very targeted and handcrafted attack on the other hand. Sure, wine is not a sandbox, but seeing this as the point of entry for a full blown persistent RAT is weirding me out massively.
Lastly, “them” setting up seemingly good persistence on your system, yet not hiding any indicators of compromise, and then nuking everything when they are seen. Why that effort? Either set yourself up for the long run and hide, or when detected just say “eh, whatever”. This also seems weird, since on one hand there’s indication for a professional, targeted attack, and other points sound more like rookie script kiddies.
Lastly, you. You seem like a pretty confident user while getting hit like that. It just feels off.
I’m not claiming you’re lying, and I couldn’t blame you for leaving information out because of opsec. But everything about this story feels off. I kinda assume that you’ve been actively targeted, and you should ask yourself why. What information or access do you have? How have you been pwned that “easily” and where did that DLL come from? How was it placed and executed?
And this is their only post.
The wording, the story… I can’t tell if it’s a collection of google searches or someone newer to computing.
I get that someone could be stressed out by something, but this just seems odd.
I’ve seen people flip out in Red/Blue team trials, but this isn’t the same
OP… if this did happen to you, you need to calm down. Maybe with professional help. Then come back to this when you’re calm.
yeah, I’m not saying its fake but it does read just like a linux-horror creepypasta
After watching a handful of videos about scam and hack houses in India, this isn’t far off. A hodge podge of knowledge they’ve garnered over the years, cobbled together with scripts they’ve picked up.
That seems sort of plausible to me. It was hidden, but it’s not perfectly hidden.
My interpretation was OP isn’t necessarily the target here, but a victim of some Windows hack spreading around their shared network. It’s possible the whole network was “worth” such attention.
Yeah, it might be that another system in the network was the initially compromised system, but I’m questioning whether Windows malware would be able to spread over wine to a unix machine to actually cause damage there. But that’s an attack vector I literally have zero idea about, just kinda seems suspicious.
And yeah, everything in OPs story is absolutely plausible, but it’s more of a gut feeling given the provided information that it just feels off. I might be fully in the wrong here, and they’re the unluckiest random person to ever have touched a unix machine, I don’t know. Definitely curious how this will develop though.